Native client authenticate using Authorization Code flow

Trying to implement SSO in a SaaS application that has a Web interface as well as a desktop application, both of which are backed by common REST APIs. The Authorization Code flow for the Web interface is straightforward; the issue I'm having is with the desktop app (i.e. native client).

OAuth2/OIDC recommended flow is ROPC, however, it's considered as the absolute last resort. On top of that it doesn't support MFA, which is a big issue since MFA is used quite often. Another issue being different sign-in flows between Web UI and desktop app, which could confuse users.

That's why I've been looking into Authorization Code flow for the desktop app as well. Since Google doesn't support embedded browser views, that leaves me with opening the OS default browser for sign-in. Typically, how it's done is that my app will temporarily start listening on a local port and that localhost/port URL will be specified as the redirect/callback URI after authentication. As soon as authentication is done, my desktop app (listening on localhost) will get an HTTP request and my app will be able to figure out whether the login was successful or not, as well as the authorization code. That can then be sent over the REST API to the backend to complete the login sequence.

Apparently, Okta does not support redirecting to localhost, so it seems like I've run into a dead end. Can I use a local IP instead, e.g. , or is even that not allowed?

Anyone from okta who can direct me to the proper solution?
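The loopback flow described in the question, as an added example that is not part of the original post or any Okta SDK: the desktop app binds an OS-chosen port on 127.0.0.1, sends the user to the system browser with a `state` value and a PKCE challenge (RFC 7636, which RFC 8252 recommends for native apps that cannot keep a client secret), then accepts exactly one redirect and checks `state` before trusting the code. The authorize endpoint and client id are placeholders, and `simulate_browser_redirect` is a constructed stand-in for the browser so the flow can be exercised offline.

```python
import base64
import hashlib
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint and client id (assumptions, not real Okta values).
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"
CLIENT_ID = "example-native-client-id"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_url(redirect_uri, state, code_challenge):
    """Authorization request the app hands to the system browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,                     # bound to this login attempt
        "code_challenge": code_challenge,   # PKCE: no client secret in a native app
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(path, expected_state):
    """Check the request the loopback listener received and return the code.

    Rejects a missing callback, a state mismatch (CSRF / stale response)
    and IdP error responses.
    """
    if not path:
        raise ValueError("no callback received before timeout")
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.server.captured_path = self.path  # e.g. /callback?code=...&state=...
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login received. You can close this window.")

    def log_message(self, *args):
        pass  # keep the desktop app's console quiet


class LoopbackServer:
    """Listens on 127.0.0.1 on an OS-chosen port for exactly one redirect."""

    def __init__(self):
        self.httpd = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
        self.httpd.captured_path = None
        self.port = self.httpd.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"

    def wait_for_callback(self, timeout=120):
        self.httpd.timeout = timeout
        self.httpd.handle_request()  # serve one request, then shut down
        self.httpd.server_close()
        return self.httpd.captured_path


def simulate_browser_redirect(query):
    """Constructed offline stand-in for the browser following the IdP's redirect."""
    server = LoopbackServer()
    result = {}
    worker = threading.Thread(target=lambda: result.update(path=server.wait_for_callback(5)))
    worker.start()
    with urllib.request.urlopen(server.redirect_uri + "?" + urlencode(query), timeout=5) as resp:
        resp.read()
    worker.join()
    return result["path"]


if __name__ == "__main__":
    import webbrowser
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    server = LoopbackServer()
    webbrowser.open(build_authorization_url(server.redirect_uri, state, challenge))
    code = parse_callback(server.wait_for_callback(), state)
    print("authorization code received; send it with the verifier to the backend")
```

Because the app registers `http://127.0.0.1:{port}/callback` with a port chosen at run time, the IdP has to accept any port on the loopback address, which is what RFC 8252 asks of authorization servers; the `state` check is what keeps a stray request to the open local port from being mistaken for the user's own login.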

What makes you think Okta doesn't allow redirecting to localhost? Most of the examples on our developer blog redirect to localhost. It works for me! 🙂


You're right. Actually, I've been reading integration guides of several IdPs and got this point mixed up with another one. Still, I'm confused why they don't allow it; is it a perceived security issue? If so, there is a chance Okta might disallow it in the future as well.

Since I'm bound by the minimum common feature set, I need to work around this, and here's what I've come up with; please point out any design/security issues:

  1. When the user clicks the SSO button in the desktop app, I open the browser to my website's SSO login page and also provide the localhost URI.
  2. My SSO page saves the localhost URI in memcache and asks for the email, then looks up the IdP and redirects to the IdP login page.
  3. After successful login, the user is redirected back to my website, which in turn redirects the user to the stored localhost URI.

A major benefit of this method is that I can register one callback URI with IdP and obviously don’t have to worry about localhost limitation anymore.
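The website-side half of the proposed relay, as an added example that is not code from the post or from any IdP: because the site stores a caller-supplied URI and later redirects the browser to it, the one check that matters is that the stored target really is the loopback address, otherwise the relay page is an open redirect for the login result. The validator below accepts only `http://127.0.0.1:<port>/...` and `http://[::1]:<port>/...` (RFC 8252 §8.3 says the `localhost` hostname form is not recommended), the in-memory dict stands in for the memcache from step 2, and the result parameters handed back to the desktop app are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Loopback literals per RFC 8252. "localhost" is deliberately absent: the name
# can resolve to a non-loopback address, so the RFC does not recommend it.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}

# Constructed stand-in for the memcache the post describes: state -> loopback URI.
PENDING_LOGINS = {}


def is_loopback_redirect(uri):
    """True only for http://127.0.0.1:<port>/... or http://[::1]:<port>/...

    Anything else (https, a remote host, a look-alike host, userinfo, a
    fragment, a malformed port) is refused.
    """
    try:
        parts = urlparse(uri)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "http"
        and host in LOOPBACK_HOSTS
        and parts.username is None
        and parts.password is None
        and parts.fragment == ""
    )


def start_login(loopback_uri):
    """Steps 1-2: validate and store the desktop app's URI, return a one-time state."""
    if not is_loopback_redirect(loopback_uri):
        raise ValueError("refusing non-loopback redirect target")
    state = secrets.token_urlsafe(32)
    PENDING_LOGINS[state] = loopback_uri
    return state


def finish_login(state, result_params):
    """Step 3: after the IdP returns to the website, build the redirect to the
    desktop app. The stored URI is popped so each state works exactly once."""
    target = PENDING_LOGINS.pop(state, None)
    if target is None:
        raise ValueError("unknown or already-used state")
    separator = "&" if urlparse(target).query else "?"
    return target + separator + urlencode(result_params)
```

The `state` returned by `start_login` is the value the site carries through its own session and the IdP round trip; popping the entry in `finish_login` means a replayed or guessed state cannot trigger a second redirect, and the desktop app can put its own nonce in the loopback URI's query so it can tell the genuine result from an unsolicited request to its port.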